TI News Feed · Threat Intelligence Guides

What Are TTPs? Tactics, Techniques & Procedures Explained

TTPs describe the behavior of an adversary — the most durable thing to defend against. Learn what tactics, techniques and procedures mean, with examples.

TTPs — short for tactics, techniques, and procedures — describe the behavior of a cyber adversary: how they plan and carry out an attack. The term comes from the military and is central to modern threat intelligence because, unlike a perishable IP address or file hash, an adversary's TTPs are relatively stable. Attackers change infrastructure constantly, but they tend to reuse the methods that work — which makes TTPs the most valuable thing to detect.

If you've read about the Pyramid of Pain, you'll recognize TTPs sitting at the very top: the hardest layer for an attacker to change and therefore the most painful to deny them.

Breaking down tactics, techniques, and procedures

The three letters represent three levels of detail, from the most general to the most specific.

Tactics — the "why"

A tactic is the adversary's high-level objective at a given stage of the attack — the goal behind their actions. Examples include gaining initial access, establishing persistence, escalating privileges, or performing exfiltration. Tactics answer the question: what is the attacker trying to accomplish right now?

Techniques — the "how"

A technique is the general method used to achieve a tactic. To accomplish the tactic of initial access, an attacker might use the technique of phishing, or exploiting a public-facing application. To achieve persistence, they might use scheduled tasks or registry run keys. Techniques answer: how, in general, is the attacker doing it?

Procedures — the "exactly how"

A procedure is the specific, step-by-step implementation a particular actor uses to carry out a technique. Two groups might both use phishing (the technique), but their procedures differ: one sends a malicious OneNote attachment that launches a specific PowerShell command with a particular obfuscation, while another uses a callback-phishing lure with a unique call-center script. Procedures are the most granular and often the most distinctive — they can act like a fingerprint for attribution.

A concrete example

Imagine analyzing a real intrusion. You might describe it as:

  • Tactic: Initial Access
  • Technique: Spear-phishing with a malicious attachment
  • Procedure: An email impersonating an invoice, carrying a password-protected ZIP containing an ISO, which mounts and runs a shortcut that executes a specific loader via rundll32

The tactic and technique are shared by countless attackers; the procedure is what makes this actor recognizable. Capturing all three levels lets defenders build detections that are both broad (catch the technique wherever it appears) and precise (recognize a specific group's implementation).
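The broad-versus-precise pairing above, as an added example that is not part of the original article: a technique-level rule and a procedure-level rule run over a few constructed process-creation events. The event fields, the parent-process and drive-letter heuristics, and the sample paths are assumptions made for illustration, not any product's telemetry or rule.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str         # executable that started (assumed field name)
    parent_image: str  # process that launched it
    cmdline: str       # full command line

# Constructed sample telemetry for illustration (not real data).
EVENTS = [
    # The article's procedure: shortcut on a mounted ISO (drive E:) runs a loader DLL
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe E:\invoice\loader.dll,Start"),
    # Benign: Windows invoking one of its own DLLs
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\svchost.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # Same technique, different procedure: DLL dropped in the user's temp folder
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Run"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 r"notepad.exe C:\Users\alice\notes.txt"),
]

def loaded_dll(ev):
    """Lowercase path of the DLL rundll32 was asked to load, or '' if none."""
    parts = ev.cmdline.split(" ", 1)
    if len(parts) < 2:
        return ""
    return parts[1].split(",", 1)[0].strip('"').lower()

def technique_rule(ev):
    """Broad (technique level): rundll32 loading a DLL from outside C:\\Windows."""
    if not ev.image.lower().endswith(r"\rundll32.exe"):
        return False
    dll = loaded_dll(ev)
    return bool(dll) and not dll.startswith("c:\\windows\\")

def procedure_rule(ev):
    """Precise (procedure level): explorer.exe (a clicked shortcut) launching
    rundll32 with a DLL on a drive other than C:, as a mounted ISO appears.
    Heuristics are assumed for this example."""
    return (technique_rule(ev)
            and ev.parent_image.lower().endswith(r"\explorer.exe")
            and not loaded_dll(ev).startswith("c:"))

def run_rules(events):
    """Index of each event that fired each rule."""
    return {"technique": [i for i, ev in enumerate(events) if technique_rule(ev)],
            "procedure": [i for i, ev in enumerate(events) if procedure_rule(ev)]}
```

The broad rule fires on both the ISO-borne loader and the temp-folder variant; the precise rule fires only on the event matching this actor's procedure.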

TTPs and MITRE ATT&CK

The MITRE ATT&CK framework is essentially a giant, standardized catalog of TTPs. Its tactics correspond directly to the tactics level, its techniques and sub-techniques to the techniques level, and the documented real-world usage by specific groups captures procedures. ATT&CK gives every technique a unique ID (like T1566 for phishing), so analysts worldwide can describe TTPs in a shared language. This is why "TTP-based defense" and "ATT&CK-based defense" are often used interchangeably.

Why TTP-based defense is so powerful

Focusing on TTPs rather than indicators changes the economics of defense:

  • Durability. An attacker can register a new domain in minutes, but redesigning how they move through a network is expensive and risky. Detections built on behavior keep working long after indicators expire.
  • Coverage of novel attacks. A TTP-based detection can catch a brand-new piece of malware the world has never seen, because it triggers on the behavior, not a known signature.
  • Attribution. Distinctive procedures help analysts link separate incidents to the same actor, enriching operational and tactical intelligence.
  • Prioritization. Knowing which TTPs your likely adversaries use tells you exactly which detections to build first.

How to use TTPs in practice

To put TTPs to work in your program:

  1. Extract TTPs from threat reporting. When you read research about a campaign, record the tactics, techniques and procedures — not just the indicators.
  2. Map them to ATT&CK. Assign technique IDs so you can track coverage and communicate clearly.
  3. Build behavior-based detections. Translate techniques into detection logic in your EDR and SIEM.
  4. Hunt for them. Use techniques as threat-hunting hypotheses across your environment.
  5. Test with emulation. Run red/purple-team exercises that reproduce specific procedures to confirm your detections fire.

How to extract TTPs from a threat report

One of the most valuable analyst skills is reading a piece of threat research and pulling out the TTPs — not just the indicators. Here's a simple, repeatable approach:

  1. Read for behavior, not just artifacts. As you go through a report, highlight every action the attacker took ("sent a phishing email," "created a scheduled task," "dumped credentials from memory") rather than only the IPs and hashes.
  2. Assign the tactic. For each action, ask what goal it served — initial access, persistence, credential access, lateral movement, and so on.
  3. Identify the technique. Map the action to a general method and find its MITRE ATT&CK technique ID.
  4. Capture the procedure. Record the specific implementation details — the exact command, tool, or sequence — because that's what distinguishes one actor from another.
  5. Build a profile. Collect these across multiple reports about the same actor to build a TTP profile you can hunt for and detect.

The payoff is durable: while the report's indicators may be dead within days, the TTP profile you extract remains useful for months and can reveal the same actor in a future, otherwise-unrecognizable campaign. This is the core discipline behind tactical intelligence and effective threat hunting.

As you extract TTPs from more reports over time, you'll start to notice patterns: certain techniques recur across many actors, while specific procedures cluster around individual groups. Recording both in a structured way — ideally mapped to ATT&CK technique IDs — turns a pile of disconnected reports into a reusable library of adversary behavior that steadily sharpens your detection and hunting over time.
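The profile-building step (step 5 above) and the recurring-technique versus clustered-procedure pattern just described, as an added example that is not from the original article: a small Python aggregator over action records an analyst might capture while reading reports. The actor names and procedure text are constructed; T1566 is the phishing ID named earlier, and T1053 (Scheduled Task/Job) and T1003 (OS Credential Dumping) are real ATT&CK technique IDs.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    actor: str
    tactic: str         # ATT&CK tactic the action served (step 2)
    technique_id: str   # ATT&CK technique ID (step 3)
    procedure: str      # the specific implementation observed (step 4)

# Constructed records, as captured from several reports (actors and procedures
# are made up; technique IDs are real ATT&CK IDs).
REPORTS = [
    Action("ACTOR-A", "Initial Access", "T1566", "invoice lure with a password-protected ZIP containing an ISO"),
    Action("ACTOR-A", "Persistence", "T1053", "scheduled task that re-launches the loader at logon"),
    Action("ACTOR-A", "Initial Access", "T1566", "invoice lure with a password-protected ZIP containing an ISO"),
    Action("ACTOR-B", "Initial Access", "T1566", "callback-phishing lure with a call-center script"),
    Action("ACTOR-B", "Credential Access", "T1003", "credentials dumped from memory"),
]

def build_profiles(actions):
    """actor -> technique_id -> {tactic, procedures, sightings}: the per-actor
    TTP profile of step 5, accumulated across reports."""
    profiles = defaultdict(dict)
    for a in actions:
        entry = profiles[a.actor].setdefault(
            a.technique_id, {"tactic": a.tactic, "procedures": set(), "sightings": 0})
        entry["procedures"].add(a.procedure)
        entry["sightings"] += 1
    return dict(profiles)

def shared_techniques(profiles):
    """Technique IDs present in more than one actor's profile: broad-detection candidates."""
    owners = defaultdict(set)
    for actor, techs in profiles.items():
        for tid in techs:
            owners[tid].add(actor)
    return sorted(t for t, a in owners.items() if len(a) > 1)

def distinctive_procedures(profiles):
    """Procedures seen for exactly one actor: the fingerprints used for attribution."""
    owners = defaultdict(set)
    for actor, techs in profiles.items():
        for entry in techs.values():
            for proc in entry["procedures"]:
                owners[proc].add(actor)
    return {p: next(iter(a)) for p, a in owners.items() if len(a) == 1}
```

Running it on the sample records shows T1566 recurring across both actors while every recorded procedure belongs to exactly one of them.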

The bottom line

TTPs describe how adversaries operate, from their high-level goals (tactics) to their general methods (techniques) to their specific implementations (procedures). Because behavior is far harder to change than infrastructure, defending at the TTP level imposes real cost on attackers and stays effective over time. The starting point is recognizing the TTPs in current attacks — and our live threat intelligence feed aggregates the research that documents them, from dozens of authoritative sources, ranked by priority so the most significant campaigns rise to the top.

Frequently asked questions

What does TTP stand for in cybersecurity?

TTP stands for tactics, techniques, and procedures. Together they describe how a cyber adversary operates — their high-level goals (tactics), general methods (techniques) and specific step-by-step implementations (procedures).

What is the difference between a technique and a procedure?

A technique is the general method used to achieve a goal, such as phishing. A procedure is the specific way a particular actor carries out that technique — for example, a phishing email with a password-protected ZIP that runs a specific loader. Procedures are more granular and can fingerprint an actor.

Why are TTPs more valuable than indicators of compromise?

Indicators like IPs and file hashes are easy and cheap for attackers to change, so they perish quickly. TTPs describe behavior, which is expensive and risky for adversaries to alter, so detections built on TTPs remain effective much longer and can catch novel attacks.